The dangers of the DNSSEC protocol, or how www.spamhaus.org was "taken down"
by Nikolai Hristov (11-04-2013)
Let's start with a little history... At the end of the 90s the first attack of the DDoS (Distributed Denial of Service) type appeared, and it went down in history as the smurf attack. In short: by sending ICMP packets with a forged source IP address (the victim's IP) to the broadcast addresses of large networks, the attacker obtained response traffic toward the victim multiplied many times over.
This type of attack could be carried out when three factors were present:
* The use of a stateless protocol in which no handshake is expected, for example ICMP or UDP;
* Routers along the path to the victim that allow traffic with a forged source IP address;
* Desirably, some kind of traffic multiplication, i.e. the victim receives many times more traffic than the attacker sends.
Since the ICMP smurf attack has long been easy to filter, and new routers by default no longer answer ICMP broadcast requests, this type of attack seemed to have been somewhat forgotten lately.
If we ask which protocol meets the requirements above, one fundamental Internet protocol immediately comes to mind: DNS. DNS works over both UDP and TCP (you can read more about this in an article of mine: http://geroyblog.blogspot.com/2012/07/dns-1-resolvers-cache.html). Given that DNS cache servers exist by design, the DNS protocol also meets the requirement of having a traffic multiplier. In this case the multipliers are the DNS cache servers.
What do I mean?
Let's make a recursive query to some DNS cache server (for example Google Public DNS, 8.8.8.8).
A query for an MX record without using TCP:
# dig mx +notcp google.com @8.8.8.8
With tcpdump running we see that the request sent is 28 bytes and the response received is 136 bytes.
11:26:05.900877 PPPoE [ses 0xbb] IP 192.168.1.76.64805 > 8.8.8.8.53: 26451+ MX? google.com. (28)
11:26:05.945839 PPPoE [ses 0xbb] IP 8.8.8.8.53 > 192.168.1.76.64805: 26451 5/0/0 MX aspmx.l.google.com. 10, MX alt2.aspmx.l.google.com. 30, MX alt1.aspmx.l.google.com. 20, MX alt3.aspmx.l.google.com. 40, MX alt4.aspmx.l.google.com. 50 (136)
That is roughly 4.9 times amplification of the traffic. If we make an ANY query instead, the response grows to 546 bytes and the amplification climbs to 19.5 times.
If we replace 192.168.1.76, which is our address, with the "victim's" address and send 1 megabyte of requests to Google's public DNS server, the "victim" will receive 19.5 megabytes of traffic. There is amplification, and not a little, but on the whole it should not reach the effect of the ICMP smurf attack.
Not so long ago a new extension to the current DNS protocol was proposed, adopted, changed and built upon many times, which according to its creators (mainly isc.org) would solve DNS's security problem.
Since I myself got tangled up reading the RFCs (over 20 of them: http://www.dnssec.net/rfc) that standardize DNSSEC, and since on the whole my opinion is that it is an overly complicated protocol, I will put it briefly.
The idea of DNSSEC is that for every DNS record you have a corresponding signed record. This would prevent DNS cache poisoning attacks, provided the protocol is adopted widely in all operating systems, both server and client software. If we make a query for an MX record, we observe the following effect:
# dig mx +notcp +dnssec isc.org @8.8.8.8
; <<>> DiG 9.4.1-P1 <<>> mx +notcp +dnssec isc.org @8.8.8.8
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;isc.org. IN MX
;; ANSWER SECTION:
isc.org. 6419 IN MX 10 mx.pao1.isc.org.
isc.org. 6419 IN MX 10 mx.ams1.isc.org.
isc.org. 6419 IN RRSIG MX 5 2 7200 20130501233249 20130401233249 50012 isc.org.
v0fb7TcHcwdjN2XZqSZfogavpS7T1ODK+rau7j1hiMJML2UdSPGpqiwf
xyizY5yIcObHmF926xebjOsg1WFPJy85Fdhv/r2uD+Ibzo7QQL3QbQbp
FqQlgpZUQHUFU/dpmZswRoZcMlRC4AhpkbsvYic4xbFV6O4z0hpgYUQ9 jgM=
;; Query time: 48 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Apr 2 11:58:14 2013
;; MSG SIZE rcvd: 251
Now let's query the ANY records for the isc.org domain:
# dig any +notcp +dnssec isc.org @8.8.8.8
; <<>> DiG 9.4.1-P1 <<>> any +notcp +dnssec isc.org @8.8.8.8
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 27, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;isc.org. IN ANY
;; ANSWER SECTION:
isc.org. 5644 IN SOA ns-int.isc.org. hostmaster.isc.org. 2013040200 7200 3600 24796800 3600
isc.org. 5644 IN RRSIG SOA 5 2 7200 20130501233249 20130401233249 50012 isc.org.
k/eRQT9zlZu+9HQr3WLl5ZwCAagwbD4cKkbYX7poLGzWFDWbgPC2ZN6J
ZmNEQnz6dS4GYiuFX5NiEEyxHAVlpxUz6mdBM21TjHEH6OBqOsyOHMbA
RMi9ijCN2coY2X28uhZ/cpcZccTPXQwEIN2PwqILVxbMq31+2bEXUZa5 DOY=
isc.org. 5644 IN NS sfba.sns-pb.isc.org.
isc.org. 5644 IN NS ams.sns-pb.isc.org.
isc.org. 5644 IN NS ns.isc.afilias-nst.info.
isc.org. 5644 IN NS ord.sns-pb.isc.org.
isc.org. 5644 IN RRSIG NS 5 2 7200 20130501233249 20130401233249 50012 isc.org.
opQ2IchpAm1TXFiXBDxCeHwnFDBWzn41PCeoKRpLmLqSGyx867360zSc
sBDXtE4Co4Z5IG7S4jUVZd8iXz0Y3CK3FZ/Yd1PD9c3T0Xwjku+HvF8j
/h9LrlnFGi40i/4k1vE/5sTb+U4NEYKLowKb/gsoXRgVrgiASKRnAdsw vXg=
isc.org. 5644 IN A 149.20.64.42
isc.org. 5644 IN RRSIG A 5 2 7200 20130501233249 20130401233249 50012 isc.org.
Y9xN05o0BP+l2S6wTHlIPbLo8DuBVZOhZZ750IO6nS+3cHZ0XJEa3DzL
2O1gXQW8kCadF4yrLFT5XmBhfDbI94VBzBiYGvZ2vRcjPYtto4O2sxPw
NQ+u6e/IcnHIIdueklz1dI8LgLn8+ZwtZ9+CUCRMhjwQtlejbxQEjLBe Gmo=
isc.org. 5644 IN MX 10 mx.ams1.isc.org.
isc.org. 5644 IN MX 10 mx.pao1.isc.org.
isc.org. 5644 IN RRSIG MX 5 2 7200 20130501233249 20130401233249 50012 isc.org.
v0fb7TcHcwdjN2XZqSZfogavpS7T1ODK+rau7j1hiMJML2UdSPGpqiwf
xyizY5yIcObHmF926xebjOsg1WFPJy85Fdhv/r2uD+Ibzo7QQL3QbQbp
FqQlgpZUQHUFU/dpmZswRoZcMlRC4AhpkbsvYic4xbFV6O4z0hpgYUQ9 jgM=
isc.org. 5644 IN TXT "$Id: isc.org,v 1.1791 2013-03-27 00:02:30 ziegast Exp $"
isc.org. 5644 IN TXT "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all"
isc.org. 5644 IN RRSIG TXT 5 2 7200 20130501233249 20130401233249 50012 isc.org.
qW2z10OjWeBpQ34YhbbluUFK5N8ELTxDXsa3dN1LI+/KEu9F/rzWh+KL
ndoq2PsMeznJ6vTFVOSwm+602sIPb++cajgg1+fZAewNAWALJpEYLpYp
TgIwbwZo7NoyGo1EUmMjqslFP+2uOgylIl8MHv/+XzbNivBZBNG0n4eQ Rb8=
isc.org. 5644 IN AAAA 2001:4f8:0:2::d
isc.org. 5644 IN RRSIG AAAA 5 2 7200 20130501233249 20130401233249 50012 isc.org.
Vj/4QQYtDNPw8oNU3H7lXSIKsQQLSOQiyTq1oYgbCPp4sWcx8RMyW64e
962azK7av5/NqE0c4WSQ2NXN/rBL17U7iwdeFkVO8ZVQSNGp7Kanah8T
LCzhpNqcV0Op2PIor1JgcuNXiYLp3b5H0KpAI+Ibue3wzfsr48LYs0D2 7ik=
isc.org. 5644 IN NAPTR 20 0 "S" "SIP+D2U" "" _sip._udp.isc.org.
isc.org. 5644 IN RRSIG NAPTR 5 2 7200 20130501233249 20130401233249 50012 isc.org.
pXwjHqeueJk64dm4FJKz7JuwBjaa2CK3zJ4sODtnnsj7yeesTHckfnHk
O+DJUVlgXf/GbxQ0tQ1y+qZXjmHKmsjp+oapsmebC9T6pZZwy3EHznQW
KLDhhcnbLztyXWMS8o0cDm1uk35YhGvfhLpgMV2grfVaX0WU8VZTLLjq HBI=
isc.org. 2044 IN NSEC _adsp._domainkey.isc.org. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY SPF
isc.org. 2044 IN RRSIG NSEC 5 2 3600 20130501233249 20130401233249 50012 isc.org.
fg3o/hFWeDIoFMo/pyKRGAz+LiE5f4HTJq6YvunBP/UpRenEFxZhVBxa
tTn0v5ZeNq1XzLTm1JWl0yKUVmYwaHDnrH86j35iK+GnJ42UyQo0iv5r
PHd6rakaPmMfq+6TK9FP1kUjJDgH/syYDRbSHbaynIBTR2zhpB8Y45xM Xa0=
isc.org. 5644 IN DNSKEY 256 3 5
BQEAAAABwuHz9Cem0BJ0JQTO7C/a3McR6hMaufljs1dfG/inaJpYv7vH
XTrAOm/MeKp+/x6eT4QLru0KoZkvZJnqTI8JyaFTw2OM/ItBfh/hL2lm
Cft2O7n3MfeqYtvjPnY7dWghYW4sVfH7VVEGm958o9nfi79532Qeklxh
x8pXWdeAaRU=
isc.org. 5644 IN DNSKEY 257 3 5
BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGr
hhCeFvAZih7yJHf8ZGfW6hd38hXG/xylYCO6Krpbdojwx8YMXLA5/kA+
u50WIL8ZR1R6KTbsYVMf/Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy3
47cBB1zMnnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/zZrQz
Bkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix5WcJt+xzqZ7+ysyL
KOOedS39Z7SDmsn2eA0FKtQpwA6LXeG2w+jxmw3oA8lVUgEf/rzeC/bB
yBNsO70aEFTd
isc.org. 5644 IN RRSIG DNSKEY 5 2 7200 20130501230129 20130401230129 12892 isc.org.
UFxebBneKnZHasXdUtdD6LsSbso2twRVuVOLuG6sMdfkV2io52GASy/a
xIHHAJTOZYHOGyfqCrEKDkTJ3V6e0i9g52B5dy8IsAZY5IaGK4OmcCWr
utkqzzBofeLkWP0UqNMc7xZsi6zD4CPqqi1sxT1sb7/fimImTTBJnr44
hcES7tVDttq9Nd0/wc+sSyFo9KIkhPNQgIc/t2SZ0jGJqJOiOnUI3SkH
qVAkn+a0Km1cbkqd19JxMEPc+KP1ke4InCQPD+yHS/wWsjeJ2Ajh97vp
+1HzivRA9rTRr20P3HrolyVzOPvV8r4n6LXmJDOHRfAnwzq+vnWqNPlE
sLO6pQ==
isc.org. 5644 IN RRSIG DNSKEY 5 2 7200 20130501230129 20130401230129 50012 isc.org.
vxFVIb9MIY4AnMTiADKkAtFo0nwgNh4B2UTSCDF7m5q3S8iJGTlfO3EK
PK0ilpinqnHXFWx+k3UiR8eRf7xMPBKONjNA8GdcAZ7XgdPgi2Ri0yOs
DXApZLKgByIkc5B976UKJ5wRFR/eGs5Loqby+j6HHpeNRS0v5N2rfbUI 3kU=
isc.org. 5644 IN SPF "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all"
isc.org. 5644 IN RRSIG SPF 5 2 7200 20130501233249 20130401233249 50012 isc.org.
ZBxS3Pg0D3apDPAbIUcRVTBkIaScqYyWt2jUkeWbSZ4FrEpY4V8ZA2VN
vsw/uu5WcAnxu42xOjLqGi0tLbpbcfKu7NnzijgzJcxGaBw3iIJrK9lS
htqMysY1F14hn4r3NXzfN9hWps0v7IKPAbnKQHKtcThDjF7hE7S7EbLU gy4=
;; Query time: 48 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Apr 2 11:54:43 2013
;; MSG SIZE rcvd: 3064
Here we see that a 36-byte request produces a 3064-byte response, which is 85.1 times more traffic! Now, if the packet's source IP address is replaced with the victim's, and this is done from a botnet of 50,000 zombie computers, can you guess what the result is?
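The request sizes quoted above (28 bytes for the MX query, 36 bytes for the ANY +dnssec query) follow directly from the DNS wire format, so the amplification factors can be checked without sending a single packet. The script below is an added example, not code from the original article: it derives the query size from the RFC 1035 wire layout (12-byte header, length-prefixed labels, QTYPE/QCLASS, plus the 11-byte OPT pseudo-record that dig attaches when +dnssec enables EDNS) and divides the response sizes captured on the page by it. The response byte counts are the ones reported in the article; the factor for the .com query is computed here from its 1528-byte answer and is not a figure the article states. A resolver operator can use the same arithmetic on their own captures to rank which query types expose them most.

```python
"""Added example (not from the original article): estimate the amplification
factor of a DNS answer from the wire size of the query that produced it.

Query sizes are derived from the DNS wire format (RFC 1035): a 12-byte header,
the encoded QNAME, 2 bytes QTYPE, 2 bytes QCLASS, plus an 11-byte OPT
pseudo-record when EDNS is in use (dig adds one for +dnssec). Response sizes
come from the article's captures; nothing is sent on the network."""
import re

DNS_HEADER_LEN = 12      # id, flags, qd/an/ns/ar counts
QTYPE_QCLASS_LEN = 4
OPT_RR_LEN = 11          # root name (1) + type (2) + class (2) + ttl (4) + rdlen (2)


def encode_qname(name: str) -> bytes:
    """Wire-encode a domain name: length-prefixed labels ended by a zero byte."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return out + b"\x00"


def query_size(qname: str, edns: bool = False) -> int:
    """Size in bytes of a minimal UDP DNS query for qname (optionally with OPT RR)."""
    size = DNS_HEADER_LEN + len(encode_qname(qname)) + QTYPE_QCLASS_LEN
    return size + OPT_RR_LEN if edns else size


def amplification(query_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification factor (response bytes per query byte), 1 decimal."""
    return round(response_bytes / query_bytes, 1)


def response_size_from_dig(dig_output: str) -> int:
    """Pull the response size out of dig's ';; MSG SIZE  rcvd: N' trailer."""
    m = re.search(r";; MSG SIZE\s+rcvd:\s*(\d+)", dig_output)
    if not m:
        raise ValueError("no MSG SIZE line in dig output")
    return int(m.group(1))


# Constructed table: (qname, EDNS present, response bytes), using the
# response sizes the article reports for each query.
CAPTURES = {
    "MX google.com":       ("google.com", False, 136),
    "ANY google.com":      ("google.com", False, 546),
    "ANY +dnssec isc.org": ("isc.org", True, 3064),
    "ANY +dnssec com":     ("com", True, 1528),
}


def amplification_table() -> dict:
    """Amplification factor per capture, keyed by the labels in CAPTURES."""
    return {label: amplification(query_size(q, edns), resp)
            for label, (q, edns, resp) in CAPTURES.items()}


if __name__ == "__main__":
    for label, factor in amplification_table().items():
        q, edns, resp = CAPTURES[label]
        print(f"{label:21s} query {query_size(q, edns):3d} B -> "
              f"response {resp:5d} B  x{factor}")
```

Running it reproduces the article's 4.9x, 19.5x and 85.1x figures; the .com ANY query comes out at a lower factor only because that answer is shorter, not because the mechanism differs.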
Overall, the conclusion is that the DNSSEC protocol is by design an excellent traffic multiplier. I recently checked, and it turned out that all the major domains such as .com, .net, .org, .info and so on, as well as the cc (country code) domains such as .bg, .ru, .se and so on, are signed and support DNSSEC.
# dig any +dnssec com @8.8.8.8
; <<>> DiG 9.4.1-P1 <<>> any +dnssec com @8.8.8.8
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 21, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;com. IN ANY
;; ANSWER SECTION:
com. 899 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1364891984 1800 900 604800 86400
com. 899 IN RRSIG SOA 8 1 900 20130409083944 20130402072944 23975 com.
ifejuy4CNjIISV4kpWe1jjrwM03nluADb6K43W4px4UWPj0JI8bQ61oN
KEs1708MkGIbH9hLehTTEwKEZ0sKj91LXUyiWzIPF/oCjWkX+IeZYCTM
tAM1euj+hOiaNiPVtQBChcgaQ0CiJM+DFxrofs/uk0Xcytvxw0MoJwVp DIY=
com. 21599 IN NS j.gtld-servers.net.
com. 21599 IN NS g.gtld-servers.net.
com. 21599 IN NS i.gtld-servers.net.
com. 21599 IN NS k.gtld-servers.net.
com. 21599 IN NS l.gtld-servers.net.
com. 21599 IN NS d.gtld-servers.net.
com. 21599 IN NS c.gtld-servers.net.
com. 21599 IN NS m.gtld-servers.net.
com. 21599 IN NS a.gtld-servers.net.
com. 21599 IN NS h.gtld-servers.net.
com. 21599 IN NS f.gtld-servers.net.
com. 21599 IN NS e.gtld-servers.net.
com. 21599 IN NS b.gtld-servers.net.
com. 21599 IN RRSIG NS 8 1 172800 20130408041926 20130401030926 23975 com.
AOYql4O2Zi6v013LUQXSo5K0VuzmfSZzb9Qk/UEAlziHoDUVDvhkceQu
8nseo8PKKJZwhmjhRde5mIuVFfTHIb6Hbv+29UnXhBVguD54I4J7lbRE
BEMnJIjrJSs84W8uUgiUsZ4dKuMU0pTXcEonLIfQuUNfltuTifYOOPm+ Mk8=
com. 21599 IN DNSKEY 257 3 8
AQPDzldNmMvZFX4NcNJ0uEnKDg7tmv/F3MyQR0lpBmVcNcsIszxNFxsB
fKNW9JYCYqpik8366LE7VbIcNRzfp2h9OO8HRl+H+E08zauK8k7evWEm
u/6od+2boggPoiEfGNyvNPaSI7FOIroDsnw/taggzHRX1Z7SOiOiPWPN
IwSUyWOZ79VmcQ1GLkC6NlYvG3HwYmynQv6oFwGv/KELSw7ZSdrbTQ0H
XvZbqMUI7BaMskmvgm1G7oKZ1YiF7O9ioVNc0+7ASbqmZN7Z98EGU/Qh
2K/BgUe8Hs0XVcdPKrtyYnoQHd2ynKPcMMlTEih2/2HDHjRPJ2aywIpK
Nnv4oPo/
com. 21599 IN DNSKEY 256 3 8
AQPcnY9mVa8t+3ab9SsbKjGh38DXxdCZsL0sCdUEzyj1b3nN9BFLolfM
o7PyfRhOw29YvgwHq1wRB2nRWcOpuUZhgZNOxWqLoOu84KR7HtQmY1yZ
uSkh9WA6mUDQT+i/7zpUVbtmZqNJm5SuQZFE0hn+N5CMxnXOLOsHJsn6
WvB1sQ==
com. 21599 IN RRSIG DNSKEY 8 1 86400 20130408182533 20130401182033 30909 com.
ohJvhu03H5M8PrkIcQDoozJjpokwWKKNfFqUXeU/pdvlY3X63IyJWXTZ
8qBp0lvhYWKHTpmGCCDBTC1X/DO+RXyYZAiQBeh8MVjyW4ZC8gz2/lS7
NTGRHmhCOFjsvYk6WNHy9vUqUomNuDDD9qIAS1HkYCmNGuo/2umLb+zU
lsU8gcl6TyZIyepbeuTZQ4rkf+O53yJLngitaAoVCDI+hJE0OWZNAYg0
8AmJyuEZcnYlFUbuqR/SnL5FAfdo7XY9I5y5eJnWRT1YoFFcp6NTwZl8
KLlSLRhfLmIsP8mPGf3inJNnJ79MB6m6aArvo5aXWDhBM4HxbjkRZlO3
+cBu4g==
com. 21599 IN TYPE51 \# 5 0100000000
com. 21599 IN RRSIG TYPE51 8 1 86400 20130408041926 20130401030926 23975 com.
2dfpD6RLPMGOM3HrPfvhSAPKb26oCeF0jX6Kd8xrCI3/YhiRJu80ilPA
5mQo9uduxAPHcn0E+G+Vu69PEmlTySbDgjZ6m4TA6LeCx1wEdX+6x7uc
Z2ksNVqQBitZnjl+3Fb+ou2ekJjSk8mUjqbsHNtz/4u2nJ4zD1/bkDcc 0Jc=
;; Query time: 326 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Apr 2 12:06:02 2013
;; MSG SIZE rcvd: 1528
This brings us to the attack against the anti-spam list spamhaus.org. Since they provided a list of spammer IP addresses distributed via DNS, this attack led to a denial of service at this anti-spam provider. The attack was carried out through a multitude of open recursive DNS resolvers and the DNSSEC protocol. At the same time, an increase in the spam e-mails circulating on the Internet was observed. That means the attack was coordinated.
What are the defenses against this?
Broadly: DNS over UDP should be limited to 512 bytes by the routers along the path. DNSSEC should use only TCP (which would slow down responses, so there is no complete happiness). Rate-limit UDP requests to port 53, either on the firewalls or within the DNS cache server software itself. Filter traffic with spoofed source IP addresses.
The article is also published at: http://geroyblog.blogspot.com/2013_04_01_archive.html